The role of internal audit is shifting by the second. No longer just a step in an overall business sanity check, this department is ready to become your company’s command center for risk – thanks to cutting-edge technology. During a recent SAP Game-Changers radiocast, panelists Paul Sobel, VP and chief audit executive for Georgia-Pacific LLC; Carey Oven, partner and leader for the internal audit transformation market offering in Deloitte and Touché LLP; and Bruce McCuaig, director of solution marketing for SAP solutions for governance, risk, and compliance discuss this burgeoning trend.
Move from manning your post to seeking opportunities
Sobel immediately tries to debunk the myth of the bean-counting auditor with no imagination, and Oven agrees. “I actually think internal audit can be very entrepreneurial. It can be very insightful and value driven because we have a very wide purview on business and what’s going on within our organizations.”
The need for innovation is definitely present. McCuaig describes a survey he conducted of about 150 auditors at the IIA International Conference in London. 54% of respondents believe that technology will fundamentally change how audit services are performed and measured – but only 14% said that the current audit management and analysis tools meet their needs.
So what types of tools could fill this gap? According to Sobel, it’s visual analytics in the form of dashboards. Instead of focusing on pure numbers, auditors must focus on ways to unleash the data and make it a powerful tool for management.
McCuaig concurs. “I haven’t seen anyone getting on a corporate jet reading a 13-page audit report. It’s important to distill down the information to a dashboard to help them drive insights. But simplicity takes a huge amount of work.” Such work can’t be completed without tech-enabled systems in which management must be willing to invest.
Outlining the responsibilities of management vs. the audit
As the role of the audit morphs, it becomes ever more important to make the distinction between what role the audit plays and what role management must play.
McCuaig believes it’s time to stop counting the number of audits performed and start measuring the amount of knowledge they create. As the role evolves into a command center for risk, he looks forward to redefining the role of the auditor as one that can be proactive rather than simply reactive.
Sobel emphasizes that management must determine the organization’s risk tolerance in order for the audit to provide maximum value. No company’s risk can be completely eradicated, so how much risk can a business tolerate? Management owns risk and must answer this question so auditors can focus on aspects other than risk – adding more value to their role and the company.
If risk tolerance is increased, “We start to pull away from the lengthy and laborious text-based audit reports and start to get into those quicker messages – whether it’s literally Twitter or something else,” says Sobel. “I think our value will come to fruition more quickly than perhaps it does even today.”
To learn more about how audit is becoming a command center for risk, listen to the full radiocast.